GitLab.org / GitLab · Issue #32291 · Closed
Issue created Sep 18, 2019 by GitLab SecurityBot (@gitlab-securitybot), Reporter

ESCALATED: 2FA not enforced on /profile/applications

HackerOne report #691477 by brdoors3 on 2019-09-10, assigned to hackerjuan:

Hi team,

I found one access control issue related to your feature 'Enforcing 2FA for all users' on https://gitlab.com/

POC

1. Access one group and enforce 2FA for all users. In this test I used a grace period of 1 hour.

2. After 1 hour, access https://gitlab.com again. The user will be redirected to https://gitlab.com/profile/two_factor_auth

3. Try to access some other areas. All pages redirect to https://gitlab.com/profile/two_factor_auth (expected behavior).

4. Access https://gitlab.com/profile/applications. 2FA is not enforced on this page. I can create and delete applications without any 2FA active.

POC video attached

Impact

In this scenario, after the grace period has elapsed, a user can access and make any change on https://gitlab.com/profile/applications

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • gitlab.PNG
  • gitlab_poc.mp4
Edited Dec 28, 2019 by GitLab SecurityBot
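As an added, constructed illustration of the defect class this report describes (this is not GitLab's code and is not a statement of the actual cause of the bug): a Ruby model of a Rails-style 2FA-enforcement filter. The weak variant exempts every path under a prefix, so a settings page next to the 2FA setup page escapes enforcement after the grace period; the fixed variant exempts only the exact setup path. A small audit function lists the paths the weak rule lets through, which is the check a defender would run when adding a page under an exempted area. `User`, `grace_period_ends_at`, `enforce` and the two `exempt_from_2fa_*` predicates are assumptions made for this example.

```ruby
# Constructed model of a 2FA-enforcement filter (not GitLab's implementation).
# Assumption: enforcement is a before_action-style check that redirects every
# request to the 2FA setup page once the grace period has elapsed, except for
# an allowlist of paths the user needs in order to complete that setup.

require 'time'

TWO_FACTOR_SETUP_PATH = '/profile/two_factor_auth'

# Hypothetical user record: whether 2FA is active and when the grace period ends.
User = Struct.new(:two_factor_enabled, :grace_period_ends_at, keyword_init: true)

# 2FA must be enforced when the group requires it, the user has not enabled
# it, and the grace period (if any) has run out.
def two_factor_required?(user, group_requires_2fa, now = Time.now)
  return false if user.two_factor_enabled
  return false unless group_requires_2fa

  user.grace_period_ends_at.nil? || now >= user.grace_period_ends_at
end

# Weak exemption: every path under /profile is exempt, so pages such as
# /profile/applications are reachable without 2FA.
def exempt_from_2fa_weak?(path)
  path.start_with?('/profile')
end

# Fixed exemption: only the exact setup path (and its own sub-actions) is exempt.
def exempt_from_2fa_fixed?(path)
  path == TWO_FACTOR_SETUP_PATH || path.start_with?("#{TWO_FACTOR_SETUP_PATH}/")
end

# Filter decision for one request.
# Returns :allow, or [:redirect, TWO_FACTOR_SETUP_PATH] when 2FA is enforced.
def enforce(path, user, group_requires_2fa, exempt:, now: Time.now)
  return :allow unless two_factor_required?(user, group_requires_2fa, now)
  return :allow if exempt.call(path)

  [:redirect, TWO_FACTOR_SETUP_PATH]
end

# Audit helper: paths that the weak policy allows but the fixed policy blocks,
# i.e. pages that slip past 2FA enforcement only because of the broad exemption.
def paths_leaked_by(weak, fixed, paths, user, now)
  paths.select do |p|
    enforce(p, user, true, exempt: weak, now: now) == :allow &&
      enforce(p, user, true, exempt: fixed, now: now) != :allow
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario mirroring the report: grace period of 1 hour, elapsed.
  now = Time.utc(2019, 9, 10, 12, 0, 0)
  user = User.new(two_factor_enabled: false, grace_period_ends_at: now - 3600)
  paths = ['/dashboard/projects', '/profile/two_factor_auth', '/profile/applications']
  leaked = paths_leaked_by(method(:exempt_from_2fa_weak?),
                           method(:exempt_from_2fa_fixed?), paths, user, now)
  puts "paths reachable without 2FA under the weak rule: #{leaked.inspect}"
end
```

The point of the audit helper is that an exemption list for a 2FA gate should be tested as a default-deny rule: enumerate the routes and assert that only the setup page itself is reachable once the grace period has elapsed, rather than relying on each new page under the exempted area to opt in.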